Become a cyber pro by building your skills in the National Cyber League!

Background

CyberChef is a web application that can be used to perform multiple operations related to cybersecurity. The operations range from simple encoding/decoding to complex encryption/decryption. Some of the operations are:

• XOR
• Base64 encoding and decoding
• Caesar cipher
• Hashing, e.g. MD5 and SHA
• ROT13 cipher
• Railfence cipher
• Morse code
• AES encrypt and decrypt
• …and many more

CyberChef is an excellent tool to use for the Cryptography module for the National Cyber League and other Capture The Flag (CTF) competitions. It is also a great tool to use by any cybersecurity analyst. A nice feature is the ability to chain multiple operations (or “recipes”) and then run (”bake”) them all in one go.

Prerequisites

No prior knowledge is needed although some basic knowledge of what a cipher or hash is can help with understanding this article.

History

CyberChef was developed by an analyst at GCHQ, which then decided to make it publicly available and open source. Anybody can contribute to its development.

CyberChef is still under active development, please do not use it for anything that requires reliability or stability. CyberChef is also released under the Apache 2.0 license.

Application Layout

After you visit the CyberChef website (https://cyberchef.org/), you will see a screen similar to the one below.

There are four sections on the website.

Left section (operations)

The left side allows you to search for operations to perform. Each operation is also categorized under a specific topic, for example, hashing topic will contain all the different hashing algorithms. Once you find an operation you want to perform, you can click and drag that operation to the middle part of the site, under “Recipe”.

Middle section (recipes)

This includes a list of all the operations (also known as recipes) to perform on the input. The nice feature of CyberChef is the possibility of chaining together multiple operations together, for example, you can perform a MD5 hash followed by a base64 encoding. You can also repeat the same operation, e.g. perform a MD5 hash followed by another MD5 hash.

Recipes can be disabled by clicking on this icon

Right section (input and output)

The top portion of the right side is for the user to enter their input for the operation.

The bottom portion of the right side is for the user to see the output of the operation

The output is automatically updated whenever the input is modified

Example

In the screenshot above, the operation selected is the Vigenere Cipher with the secret key of b.

With a key length of 1, the Vigenere Cipher is also the Caesar Cipher. The input is Input and the output is Joqvu.

A nice feature of CyberChef is the URL contains the recipe and input. In this example, if you want to rerun the same operation again with the same input, you can use this URL:

https://cyberchef.org/#recipe=Vigenère_Encode('b')&input=SW5wdXQ

Examples

We will go through some examples of using CyberChef to give you an idea on the use of this powerful tool.

XOR

Let’s first start with one of the simplest operations, XOR.

Recall that one hexadecimal number is four bits, e.g. A is 1010, 9 is 1001, etc.

Also, recall that 0 XOR 0 is 0, 0 XOR 1 is 1, 1 XOR 0 is 1, and 1 XOR 1 is 0. In this case, A XOR 3 ⇒ 1010 XOR 0011 ⇒ 1001 = 9

The screenshot below shows the input as 1337 XOR BEEF XOR BEEF = 1337.

An XOR operation followed by the same XOR operation with the same key results in the same message. This can be seen in the figure below.

Base64

For our next example, let’s use Base64 encoding which is a popular encoding used on the web. As shown in the figure below, the input is Hello there! and the output is SGVsbG8gdGhlcmUh when encoded with Base64.

The gray From Base64 decoding means that decoding from Base64 is disabled. Thus, the only operation being used is the To Base64 encoding. The alphabet shows the characters that will be used — this is the default but if you wanted to change it, you could use the drop-down arrow to modify the alphabet.

Morse Code

Morse code consists of a combination of . and - to represent a character. The screenshot below shows the equivalent Morse code for the text SOS Stranded on an island. Each character is delimited by a “ “ (Space) which is specified in the recipe operation. Each word is also printed on its own line as specified by the “line feed” for word delimiter.

Not shown in the figure is a recipe to convert from Morse code to text.

Hashing with MD5

We will now look at more widely used cryptographic operations, namely MD5 hashing and then later AES encryption.

Search for and select MD5 on the left side for the list of operations. As you enter Hash of an MD5 in the input section, the output will auto-update as CyberChef performs the MD5 hash of the input. The final hash is shown in the screenshot below.

AES

The Advanced Encryption Standard (AES), originally known as Rijndael, was adopted in 2001 by NIST as the US standard for symmetric key encryption. AES is a block cipher with blocks/keys of 128 bits, 192 bits, or 256 bits. As a reminder, one hexadecimal number is 4 bits, thus 32 hexadecimal numbers is 32 * 4 = 128 bits.

In the example below, the plaintext input is shown on the top right. The ciphertext is shown on the bottom right in hexadecimal format.

In the recipe section, you can select the mode of encryption as CBC. The Initialization Vector (IV) is set as 00112233445566778899AABBCCDDEEFF and the secret key used is 0123456789ABCDEFFEDCBA9876543210. CyberChef will automatically detect the block size, so since 32 hexadecimal numbers are entered as the IV and secret key, it defaults to 128-bit block cipher encryption.

Next Steps

Try out CyberChef for yourself - https://cyberchef.org! This can prove to be useful for the next National Cyber League season, especially in the Cryptography module!

Published by DECT